A charge notification from amazon[.]de landed in an English-speaking recipient's inbox. The sender address was konto-aktualisierung@amazon[.]de. DKIM passed for both amazon[.]de and amazonses[.]com. DMARC passed. Every link in the message pointed to legitimate Amazon gp/r.html redirect endpoints and scanned clean. There were no attachments.
The body claimed an $879 charge. No order ID, no itemization, no recipient name. The only action item was a phone number: (865) 292-7594. That number is the entire attack.
Authenticated From End to End
The message originated from Amazon SES infrastructure at 54[.]240[.]1[.]30 (a1-30[.]smtp-out[.]eu-west-1[.]amazonses[.]com), passing SPF at the initial hop. DKIM signatures validated for both amazon[.]de and amazonses[.]com. DMARC aligned and passed for header.from=amazon[.]de.
A downstream Votiro relay at 44[.]206[.]222[.]91 produced an SPF failure for the return-path domain driftpulse[.]de, since the relay's IP is not an authorized sender for that domain. That failure changed nothing: DMARC needs only one aligned pass, and the amazon[.]de DKIM signature, which survives relaying intact, already satisfied it on its own. The SRS-rewritten return-path (bounces+SRS=sIDxa=C5@driftpulse[.]de) confirms the message was forwarded through intermediary infrastructure after leaving Amazon's servers.
The result: an email that presents a clean authentication record from Amazon itself. Secure email gateways that rely on sender reputation and domain authentication had no signal to act on. The sending IP is Amazon's. The DKIM signature is Amazon's. The links resolve to Amazon's domains.
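To see why the downstream SPF failure is irrelevant to the verdict, the following added example (not code from the original article or from any vendor tool) recomputes DMARC from a constructed Authentication-Results header modeled on the hops described above. The authserv-id mx.example.net, the recipient address and the header layout are assumptions; the organizational-domain helper is a deliberate simplification that skips the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers modeled on the message described above (not the actual raw message):
# the recipient-side view after the Votiro relay, with the SRS-rewritten return path.
RAW_MESSAGE = """\
Return-Path: <bounces+SRS=sIDxa=C5@driftpulse.de>
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 44.206.222.91) smtp.mailfrom=bounces+SRS=sIDxa=C5@driftpulse.de;
 dkim=pass header.d=amazon.de header.i=@amazon.de;
 dkim=pass header.d=amazonses.com header.i=@amazonses.com
From: Amazon.de <konto-aktualisierung@amazon.de>
To: recipient@example.net
Subject: Charge notification

(body omitted)
"""


def parse_authentication_results(value):
    """Split an Authentication-Results value into one dict per method result (RFC 8601 shape)."""
    parts = [p.strip() for p in value.split(";")]
    results = []
    for part in parts[1:]:                       # parts[0] is the authserv-id
        part = re.sub(r"\([^)]*\)", "", part)    # drop comments such as "(sender IP is ...)"
        tokens = part.split()
        if not tokens:
            continue
        method, result = tokens[0].split("=", 1)
        # split("=", 1) matters: SRS local-parts contain "=" themselves (bounces+SRS=...).
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method, "result": result, **props})
    return results


def org_domain(domain):
    """Simplification: last two labels. Real DMARC alignment uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def evaluate_dmarc(from_domain, results, relaxed=True):
    """DMARC passes if at least one SPF or DKIM pass is aligned with the From: domain (RFC 7489)."""
    def aligned(d):
        if relaxed:
            return org_domain(d) == org_domain(from_domain)
        return d.lower() == from_domain.lower()

    aligned_sources = []
    for r in results:
        if r["result"] != "pass":
            continue
        if r["method"] == "spf":
            d = r.get("smtp.mailfrom", "").split("@")[-1]   # SPF aligns on the MAIL FROM domain
        elif r["method"] == "dkim":
            d = r.get("header.d", "")                        # DKIM aligns on the signing domain
        else:
            continue
        if d and aligned(d):
            aligned_sources.append((r["method"], d))
    return ("pass" if aligned_sources else "fail"), aligned_sources


def analyze(raw):
    """Summarize SPF, DKIM and the recomputed DMARC verdict for one raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].split("@")[-1]
    results = parse_authentication_results(msg["Authentication-Results"])
    spf = [r for r in results if r["method"] == "spf"]
    dmarc, sources = evaluate_dmarc(from_domain, results)
    return {
        "from_domain": from_domain,
        "spf": spf[0]["result"] if spf else "none",
        "spf_domain": spf[0].get("smtp.mailfrom", "").split("@")[-1] if spf else "",
        "dkim_domains": [r["header.d"] for r in results
                         if r["method"] == "dkim" and r["result"] == "pass"],
        "dmarc": dmarc,
        "aligned": sources,
    }


if __name__ == "__main__":
    print(analyze(RAW_MESSAGE))
```

The SPF result for driftpulse[.]de would not have aligned with amazon[.]de even had it passed, and the amazonses[.]com signature does not align either; the single amazon[.]de DKIM pass is what carries DMARC. When reusing this on real mail, only trust an Authentication-Results header whose authserv-id is your own MX, since anything upstream can be forged.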
The Content Tells a Different Story
The email claimed to be from amazon[.]de, the German marketplace. The charge was stated in USD. That mismatch alone is a strong signal. Amazon.de transactional emails display amounts in euros. An $879 charge denominated in U.S. dollars from a German storefront indicates a campaign targeting English-speaking recipients without localizing the financial details.
Beyond the currency, the message lacked every element standard in a real Amazon transaction notification: no order number, no item description, no shipping address, no personalized greeting. The grammar was unprofessional. Amazon logos and a German-language footer were present, but the content read like a template built for volume, not precision.
This is the behavioral surface that Adaptive AI and community-driven threat intelligence evaluate. Authentication says the email came from Amazon's infrastructure. Content analysis says the message does not match how Amazon actually communicates.
Why Link Scanning Cannot Catch This
Every URL in the message used Amazon's own gp/r.html redirect endpoints. SafeLinks rewrites were applied. All links scanned clean. There were no attachments. There was no credential harvesting page, no malware, no redirect chain to an attacker-controlled domain.
The payload is the phone number. TOAD (Telephone-Oriented Attack Delivery) campaigns are built to operate in the gap between what scanners can evaluate and what actually harms the recipient. Once the call connects, the attacker controls the conversation: fake refund flows, remote access requests, credential verification pretexts.
Link scanners, sandboxes, and URL reputation engines have nothing to flag here. Detection depends on recognizing that the content of the message is inconsistent with the identity of the sender, a judgment that requires behavioral context, not signature matching.
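The content-versus-identity checks described in this section and in the preceding one (currency that does not match the storefront, no order number, first-party links only, a call-back number as the sole action item) can be expressed as a small rule set. The following is an added example, not code from the original article or from any vendor product. The storefront-to-currency table, the NANP phone pattern and the verdict threshold are assumptions; the order-number pattern follows Amazon's 3-7-7 digit format; both message bodies are constructed, the first modeled on the message described above and the second as a benign counterpart.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the currency each storefront bills in (extend as needed).
STOREFRONT_CURRENCY = {"amazon.de": "EUR", "amazon.co.uk": "GBP", "amazon.com": "USD"}
SYMBOL_TO_CODE = {"$": "USD", "€": "EUR", "£": "GBP"}

AMOUNT_RE = re.compile(
    r"(?P<sym>[$€£])\s?\d[\d.,]*"               # $879.00
    r"|\d[\d.,]*\s?(?P<sym2>[$€£])"              # 49,99 €
    r"|\d[\d.,]*\s?(?P<code>USD|EUR|GBP)\b")     # 879 USD
ORDER_ID_RE = re.compile(r"\b\d{3}-\d{7}-\d{7}\b")                         # Amazon 3-7-7 order number
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")   # NANP number (assumption)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def assess(from_header, body):
    """Compare what the body says against who the From: header claims to be."""
    sender_domain = parseaddr(from_header)[1].split("@")[-1].lower()
    expected = STOREFRONT_CURRENCY.get(sender_domain)
    findings = {}

    # 1. Currency stated in the body versus the currency this storefront bills in.
    seen = set()
    for m in AMOUNT_RE.finditer(body):
        seen.add(m.group("code") or SYMBOL_TO_CODE[m.group("sym") or m.group("sym2")])
    if expected and seen and expected not in seen:
        findings["currency_mismatch"] = sorted(seen)

    # 2. A real transaction notification carries an order number.
    if not ORDER_ID_RE.search(body):
        findings["missing_order_id"] = True

    # 3. Call-back numbers are the TOAD payload. Order numbers are digit runs too, so mask them first.
    phones = [re.sub(r"\D", "", p) for p in PHONE_RE.findall(ORDER_ID_RE.sub(" ", body))]
    if phones:
        findings["callback_numbers"] = phones

    # 4. Links that all stay on the sender's own domain give URL scanners nothing to flag.
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    off_domain = sorted(h for h in hosts
                        if not (h == sender_domain or h.endswith("." + sender_domain)))
    if hosts and not off_domain:
        findings["links_all_first_party"] = True
    if off_domain:
        findings["off_domain_links"] = off_domain

    # Verdict (assumed threshold): a phone number is the only place to go and the
    # transaction details do not add up for the claimed sender.
    toad = ("callback_numbers" in findings and not off_domain
            and ("currency_mismatch" in findings or "missing_order_id" in findings))
    return {"verdict": "toad_suspect" if toad else "no_finding",
            "sender_domain": sender_domain, **findings}


# Constructed sample modeled on the message described above (not the raw message).
SUSPECT_FROM = "Amazon.de <konto-aktualisierung@amazon.de>"
SUSPECT_BODY = """\
Hello,
We charged $879.00 to your account for your recent purchase.
If you did not make this purchase, call our support team at (865) 292-7594.
Manage your account: https://www.amazon.de/gp/r.html?C=constructed
Amazon.de - Impressum und Datenschutz
"""

# Constructed benign counterpart: euro amount, order number, no call-back number.
BENIGN_BODY = """\
Hallo,
Ihre Bestellung 302-1234567-1234567 über 49,99 € wurde versandt.
Bestellung ansehen: https://www.amazon.de/gp/r.html?C=constructed
"""

if __name__ == "__main__":
    print(assess(SUSPECT_FROM, SUSPECT_BODY))
    print(assess(SUSPECT_FROM, BENIGN_BODY))
```

Run on the suspect sample, the verdict is `toad_suspect` with the USD mismatch, the missing order number and the masked call-back number 8652927594 recorded; the benign German notification produces no finding beyond its first-party links. None of these rules inspects a URL reputation or a sender IP, which is the point: the signal lives in the gap between the claimed identity and the body.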
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender | konto-aktualisierung@amazon[.]de | From address (authenticated via Amazon SES) |
| Return-Path Domain | driftpulse[.]de | SRS bounce-handling domain in return-path |
| IP | 54[.]240[.]1[.]30 | Amazon SES sending IP (SPF pass at initial hop) |
| IP | 44[.]206[.]222[.]91 | Votiro relay (caused SPF fail for driftpulse[.]de at downstream hop) |
| Phone | (865) 292-7594 | Vishing callback number (sole payload) |
| Fake Charge | $879 USD | Fraudulent charge amount (no order ID, no itemization) |